Tag: compliance

  • Interesting Things of the Week for February 17, 2023

    Security Implementation with Red Hat OpenShift on IBM Power Systems

    …As with any production system, it is important to ensure the security of an OpenShift deployment. This includes secure deployment and configuration of the OpenShift components, as well as ongoing maintenance and monitoring to ensure the continued security of the environment. This Redpaper publication provides a comprehensive overview of the security best practices for deploying Red Hat OpenShift on IBM Power systems…

    IBM Redpaper: https://www.redbooks.ibm.com/redpieces/abstracts/redp5690.html

    The IBM Redpaper is pretty comprehensive on securing OpenShift (note it’s a draft).

    Power Developer Exchange: Installing single node OpenShift to PowerVM

    CHONGSHI ZHANG shows how to install a SNO (single node OpenShift) to a PowerVM instance. It’s very powerful for development and other purposes.

    IBM Power Developer Exchange: https://community.ibm.com/community/user/powerdeveloper/blogs/chongshi-zhang/2023/02/09/installing-sno-to-powervm

    The Power Developer Exchange has a detailed approach to Single Node OpenShift.

    A script to rotate Encryption keys for etcd

    oc patch kubeapiserver cluster --type merge -p "
    spec:
      unsupportedConfigOverrides:
        encryption:
          reason: force KAS rotation `date`
    "
    Rotating Encryption Keys on OpenShift etcd https://patch-diff.githubusercontent.com/raw/ocp-power-automation/ocp4-playbooks-extras/pull/45.patch

    The above code is super handy for rotating the etcd encryption keys.

    Red Hat updated the oc-compliance kubectl plugin.

    RHEA-2023:0797 https://access.redhat.com/errata/RHEA-2023:0797

    oc-compliance is now updated.

    Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted

    [2/2] STEP 1/4: FROM registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412
    Trying to pull registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412...
    Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted, reasons: open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory

    You can then override the trust policy:

    # podman image trust set -t reject default
    # podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release -t signedBy registry.access.redhat.com
    # podman image trust show 
    https://access.redhat.com/solutions/5525441

    The latest podman runs into some issues with trusting sources.

    Error: error copying image "78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751": Source image rejected: Running image containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751 is rejected by policy.

    In podman, you might hit the above, and need to switch to insecureAcceptAnything when you do a podman push.

    You’ll want to modify the default in /etc/containers/policy.json from type reject to insecureAcceptAnything:

    {
        "default": [
            {
                "type": "insecureAcceptAnything"
            }
        ]
    }
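    A blanket insecureAcceptAnything default means podman will accept any image on any transport without checking a signature, so it is worth knowing exactly which scopes a policy.json leaves open. The script below is an added example, not code from the post or from the podman project: it parses the policy.json format and reports a verdict per scope. The two sample documents are constructed inline; STRICT_POLICY mirrors the state the podman image trust set commands above leave behind, with the local containers-storage transport loosened on its own rather than the default, and LOOSE_POLICY is the blanket default shown above.

```python
import json

# Constructed sample policy.json documents (not copied from a real host).
# STRICT_POLICY: reject by default, Red Hat's release key required for
# registry.access.redhat.com, and only the local containers-storage
# transport (the one in the "rejected by policy" error) left unsigned.
STRICT_POLICY = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [{
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
            }],
        },
        # an empty scope "" covers every image reachable through the transport
        "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    },
})

# LOOSE_POLICY: the blanket default the post switches to.
LOOSE_POLICY = json.dumps({"default": [{"type": "insecureAcceptAnything"}]})


def verdict(requirements):
    """Summarise one requirements list. containers/image ANDs the entries and
    rejects an empty list, so a "reject" anywhere in the list wins."""
    types = [r.get("type") for r in requirements]
    if not requirements or "reject" in types:
        return "reject"
    if all(t == "insecureAcceptAnything" for t in types):
        return "unsigned-ok"          # accepted with no signature check at all
    keys = [r.get("keyPath", "<unknown key>") for r in requirements
            if r.get("type") == "signedBy"]
    if keys:
        return "signedBy:" + ",".join(keys)
    return "other:" + ",".join(t or "?" for t in types)   # e.g. sigstoreSigned


def audit_policy(policy_text):
    """Map every scope in a policy.json document to its verdict. Keys are
    "default" or "<transport>:<scope>" ("<any>" for the empty scope)."""
    policy = json.loads(policy_text)
    result = {"default": verdict(policy.get("default", []))}
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            result[f"{transport}:{scope or '<any>'}"] = verdict(reqs)
    return result


def unsigned_scopes(policy_text):
    """Scopes that accept any image unsigned: the list you want to keep short."""
    return sorted(k for k, v in audit_policy(policy_text).items()
                  if v == "unsigned-ok")


if __name__ == "__main__":
    import sys
    # Audit a real file when a path is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LOOSE_POLICY
    for scope, v in audit_policy(text).items():
        print(f"{scope:45} {v}")
    print("scopes accepting unsigned images:", unsigned_scopes(text))
```

    Run it as `python3 audit_policy.py /etc/containers/policy.json` on the host. Against STRICT_POLICY the only unsigned scope reported is containers-storage, which is enough to make the local push work while registry pulls still require the Red Hat key.
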
  • How to use OpenScap Scanner on a Mac

    For those not yet using openscap-scanner on their systems: OpenSCAP is a security auditing framework built around the Extensible Configuration Checklist Description Format (XCCDF), and openscap-scanner evaluates a security profile against a target system.

    One gotcha: I have a Mac, and the tool is not natively supported on macOS, so I decided to use it through a Fedora container running in Podman.

    Here are the steps to run it on a Mac with the complianceascode/content release.

    Steps

    1. Download the Dockerfile
    2. Build the image
    $ podman build -f Dockerfile -t ocp-power.xyz/compliance/openscap-wrapper:latest
    ...
    
    3. Download the content file scap-security-guide-0.1.65.zip
    $ curl -O -L https://github.com/ComplianceAsCode/content/releases/download/v0.1.65/scap-security-guide-0.1.65.zip
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    100  130M  100  130M    0     0  2752k      0  0:00:48  0:00:48 --:--:-- 5949k
    
    4. Unzip the scap-security-guide-0.1.65.zip file.
    $ unzip scap-security-guide-0.1.65.zip
    
    5. Rename the directory scap-security-guide-0.1.65 to scap.
    $ mv scap-security-guide-0.1.65 scap
    
    6. List the profiles in a specific XML.
    $ podman run --rm -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap info --profiles /scap/ssg-ocp4-ds.xml
    xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
    xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
    xccdf_org.ssgproject.content_profile_e8:Australian Cyber Security Centre (ACSC) Essential Eight
    xccdf_org.ssgproject.content_profile_high-node:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
    xccdf_org.ssgproject.content_profile_high:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
    xccdf_org.ssgproject.content_profile_moderate-node:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
    xccdf_org.ssgproject.content_profile_moderate:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
    xccdf_org.ssgproject.content_profile_nerc-cip-node:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Node level
    xccdf_org.ssgproject.content_profile_nerc-cip:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Platform level
    xccdf_org.ssgproject.content_profile_pci-dss-node:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
    xccdf_org.ssgproject.content_profile_pci-dss:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
    
    7. Details on the profile
    $ podman run --rm  -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap info --profile xccdf_org.ssgproject.content_profile_cis-node /scap/ssg-ocp4-ds.xml
    Document type: Source Data Stream
    Imported: 2022-12-02T19:09:36
    
    Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ocp4-xccdf.xml
    Generated: (null)
    Version: 1.3
    Profile
            Title: CIS Red Hat OpenShift Container Platform 4 Benchmark
            Id: xccdf_org.ssgproject.content_profile_cis-node
    
            Description: This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.1.  This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.  Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of.  This profile is applicable to OpenShift versions 4.6 and greater.
    
    8. Now, I can run more advanced commands on the profiles on my Mac.
    $ podman run --rm  -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap oval generate report /scap/ssg-ocp4-ds.xml 2>&1
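    The profile listing that oscap info --profiles prints is just a walk over the xccdf:Profile elements inside the source datastream, and the same file also records which rules each profile switches on. The script below is an added example, not code from the post or from the OpenSCAP project: it reads a SCAP 1.2 datastream with the standard library and returns the profile ids and titles, plus the explicitly selected rule ids for one profile, which is what you want to know before deciding whether cis or cis-node is the right target. The embedded datastream is a constructed, trimmed stand-in for ssg-ocp4-ds.xml with sample rule ids; pass the real path from the scap directory to inspect that instead.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
DS = "http://scap.nist.gov/schema/scap/source/1.2"

# Constructed, heavily trimmed stand-in for ssg-ocp4-ds.xml: only the elements
# this script reads. Rule ids are sample values; a real datastream carries
# hundreds of rules plus the OVAL checks behind them.
SAMPLE_DS = f"""
<ds:data-stream-collection xmlns:ds="{DS}" xmlns:xccdf="{XCCDF}"
    id="scap_org.open-scap_collection_from_xccdf_ssg-ocp4-xccdf.xml">
  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_OCP-4">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_cis">
        <xccdf:title>CIS Red Hat OpenShift Container Platform 4 Benchmark</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_api_server_anonymous_auth" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" selected="false"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_cis-node">
        <xccdf:title>CIS Red Hat OpenShift Container Platform 4 Benchmark</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" selected="true"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""

# Clark-notation tag names so ElementTree matches the XCCDF 1.2 namespace.
PROFILE = f"{{{XCCDF}}}Profile"
TITLE = f"{{{XCCDF}}}title"
SELECT = f"{{{XCCDF}}}select"


def list_profiles(xml_text):
    """Return (profile id, title) pairs in document order, the same
    information `oscap info --profiles` prints."""
    root = ET.fromstring(xml_text)
    profiles = []
    for prof in root.iter(PROFILE):
        title = prof.find(TITLE)
        text = (title.text or "").strip() if title is not None else ""
        profiles.append((prof.get("id"), text))
    return profiles


def selected_rules(xml_text, profile_id):
    """Rule ids a profile explicitly switches on (select/@selected="true").
    Raises KeyError for an unknown profile so a typo in the id is not
    mistaken for a profile that selects nothing."""
    root = ET.fromstring(xml_text)
    for prof in root.iter(PROFILE):
        if prof.get("id") == profile_id:
            return sorted(sel.get("idref") for sel in prof.findall(SELECT)
                          if sel.get("selected") == "true")
    raise KeyError(f"no such profile: {profile_id}")


if __name__ == "__main__":
    import sys
    # Pass a real datastream path (e.g. scap/ssg-ocp4-ds.xml) to inspect it.
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else SAMPLE_DS)
    for pid, title in list_profiles(text):
        print(f"{pid}:{title}  ({len(selected_rules(text, pid))} rules selected)")
```

    The output format (id:title) matches the oscap listing above, with the selected-rule count appended. Only explicit select elements are counted; rules a benchmark enables by default without a select entry are not included.
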
    


    Notes

    Note: I found I had to do the following on my Mac to get the volume to mount.

    $ podman machine stop
    $ podman machine set --rootful
    $ podman machine start
    $ sudo /opt/homebrew/Cellar/podman/4.3.1/bin/podman-mac-helper install
    $ podman machine stop; podman machine start
    
  • Downloading oc-compliance on ppc64le

    My team is working with the OpenShift Container Platform’s optional Compliance Operator. The Compliance Operator has a supporting tool, oc-compliance.

    One tricky element was downloading the oc-compliance plugin, and I’ve documented the steps here to help.

    Steps

    1. Navigate to https://console.redhat.com/openshift/downloads#tool-pull-secret

    If prompted, log in with your Red Hat Network ID.

    2. Under Tokens, select Pull secret, then click Download

    3. Copy the pull-secret to your working directory

    4. Make the .local/bin directory to drop the plugin.

    $ mkdir -p ~/.local/bin
    
    5. Run the oc-compliance-rhel8 container image.
    $ podman run --authfile pull-secret --rm -v ~/.local/bin:/mnt/out:Z --arch ppc64le registry.redhat.io/compliance/oc-compliance-rhel8:stable /bin/cp /usr/bin/oc-compliance /mnt/out/
    Trying to pull registry.redhat.io/compliance/oc-compliance-rhel8:stable...
    Getting image source signatures
    Checking if image destination supports signatures
    Copying blob 847f634e7f1e done  
    Copying blob 7643f185b5d8 done  
    Copying blob d6050ae37df3 done  
    Copying config 2f0afdf522 done  
    Writing manifest to image destination
    Storing signatures
    
    6. Check the file is ppc64le
    $ file ~/.local/bin/oc-compliance 
    /root/.local/bin/oc-compliance: ELF 64-bit LSB executable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d5bff511ee48b6cbc6afce6420e780da2f0eacdc, not stripped
    

    If it doesn’t work, you can always verify the architecture of the machine podman is running on:

    $ arch
    ppc64le
    

    It should say ppc64le.

    You’ve seen how to download the ppc64le build.
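    The "64-bit PowerPC" and "LSB" in the file output above come from two fields in the ELF header: e_machine (21 for 64-bit PowerPC) and EI_DATA (1 for little-endian, the "le" in ppc64le). The script below is an added example, not code from the post or from the Compliance Operator project: it reads those fields directly so the architecture check can be scripted without depending on how a given file build words its description, and it refuses non-ELF input rather than guessing. The fake_elf_header helper builds constructed headers for testing; the default path is the one the post copies the plugin into.

```python
import struct

ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2          # little-endian ("le") / big-endian
ET_EXEC = 2

# e_machine values from the ELF specification (glibc <elf.h> names in comments)
MACHINE_NAMES = {
    3: "i386",        # EM_386
    20: "ppc",        # EM_PPC
    21: "ppc64",      # EM_PPC64 (endianness decides ppc64 vs ppc64le)
    22: "s390",       # EM_S390
    62: "x86_64",     # EM_X86_64
    183: "aarch64",   # EM_AARCH64
    243: "riscv",     # EM_RISCV
}


def elf_arch(header):
    """Name the architecture of an ELF file from its first 20 bytes, e.g.
    "ppc64le", "ppc64" (big-endian) or "x86_64". Raises ValueError for
    input that is not an ELF file instead of guessing."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64):
        raise ValueError(f"bad EI_CLASS {ei_class}")
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"bad EI_DATA {ei_data}")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_ident is 16 bytes, e_type 2 bytes, then e_machine (same offset for
    # ELF32 and ELF64), stored in the byte order EI_DATA declares.
    (e_machine,) = struct.unpack(endian + "H", header[18:20])
    name = MACHINE_NAMES.get(e_machine, f"unknown(e_machine={e_machine})")
    if e_machine == 21 and ei_data == ELFDATA2LSB:
        name = "ppc64le"                  # what `--arch ppc64le` should produce
    return name


def fake_elf_header(ei_class, ei_data, e_machine):
    """Constructed minimal header for testing: magic, class, data, version,
    OS/ABI and padding, then e_type and e_machine in the declared byte order."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(endian + "HH", ET_EXEC, e_machine)


def check_binary(path, expected="ppc64le"):
    """True if the file at path is an ELF binary for the expected architecture."""
    with open(path, "rb") as fh:
        return elf_arch(fh.read(20)) == expected


if __name__ == "__main__":
    import os
    import sys
    # Default to the location the post copies the plugin into.
    path = (sys.argv[1] if len(sys.argv) > 1
            else os.path.expanduser("~/.local/bin/oc-compliance"))
    with open(path, "rb") as fh:
        print(path, "->", elf_arch(fh.read(20)))
```

    Run it as `python3 elf_arch.py ~/.local/bin/oc-compliance`; for the binary above it prints ppc64le. If it reports x86_64 or aarch64 instead, the `--arch ppc64le` selection did not take effect and the manifest list was resolved for the host that ran podman.
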

    References